Re: [tlug] file permssions SCP
- Date: Fri, 23 May 2003 17:46:36 +0900
- From: Matt Doughty <wyndigo@example.com>
- Subject: Re: [tlug] file permssions SCP
- References: <MBBBKFNBGKOCHLHLBFPOEEJDCGAA.jc@example.com>
- User-agent: Mutt/1.4i

On Thu, May 22, 2003 at 08:50:13AM +0900, James Cluff wrote:

<SNIP>
>
> Of course I realize that Unix is used for multiple users and that it would
> be difficult to "fix" the system if I removed x privileges from other for
> the entire system, but it also seems like it would be easier to nail down
> security if by default users had no privileges and then privileges were
> given to them by adding them to groups with privileges. No I am not ready
> to change my system that way, today, it is just a thought.

Here is another thought. What you want is a system that isn't *nix. You are correct that it is inherently more secure to only grant access as needed, but that is a fundamentally different security paradigm. I would postulate that if you were to try to retrofit such a security model on a *nix system you would spend all your time trying to get the software that is used by the rest of the *nix world to work on your system.

>
> I have logged into many linux systems through the internet where I was able
> to access a lot more of their system than I should have been able to since I
> was practically an anonymous user and this always seemed like someone
> screwed up, and if someone wanted to hijack this machine, they probably
> could.

Why do you think this? Because you can read a lot of directories you assume it is trivial to achieve priv. elevation? I assure you if I gave you a shell account on one of my boxen you could move all over the place, but good luck trying to crack it. You would certainly be the first. The reality is the ability to easily move around the file system is deceiving. The boxes were probably not nearly as open as you think.

>
> I did search quite a bit on the web before sending my e-mail, so did not
> feel like it was a bad idea to see how other people handled this situation,
> I thought that is what the list was for to share how we are using or would
> like to use linux.
>

<SNIP>

>
> Because someone asks a question, it shouldn't be assumed they don't have
> some answers already, or haven't researched the issue. I just wanted to
> find out what everyone else was doing before I made a decision, I didn't
> think that I was the only one on this list that may have had this issue.
>

It would be better if you showed that you had made an effort. If for example you said: "I found a possible solution is X and while Y is an option it doesn't really do what I want. How are you guys handling this sort of situation?" it would go a long way to negate the flood of RTFM and STFW responses. If you have made an effort please show us. I'm sure a few people on this list can tell you I reached a snapping point where I was being a serious BOFH to people because I got sick of all the RTFM questions.

Now as for help. It sounds like you decided that a chroot jail is the solution for you, but another interesting option is Apache and WebDAV. Use that with SSL and MD5 digest auth, or something even more robust, and you have a system that is inherently jailed, and doesn't require the creation of a system account. I would probably still go with scp but WebDAV provides an interesting alternative.

--Matt